- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Lively commentary on that topic came during the RSA Conference here this week as Ed Amoroso, chief security officer at AT&T, Ian Robertson, RIM director security, and Alex Stamos, partner at security firm iSec, shared a discussion panel moderated by Lookout CEO John Hering. There was a candid willingness to acknowledge that the current world, where mobile devices are tightly bound to wireless telecom provider networks, may not be the best in terms of tackling security issues that are expected to accelerate over the years.
"We're probably at the cusp of a threat that will change dramatically," said AT&T's Amoroso, who compared the current threat situation around mobile to the how the threat to PCs looked in 1988 before the onslaught of viruses and other attacks that followed.
As adoption of smartphones and tablets accelerates, the expectation is they will become a very attractive target. "We've not seen much in terms of direct attacks on mobile phones," said RIM's Robertson. But these devices are being loaded up with personal data that "from an aggressor's viewpoint," makes them "an attractive target," though the infection record today largely relies on "duping users" to open malware, for example.
Amoroso said few people realize how vulnerable the GSM wireless infrastructure is. The GSM standard included a decision "not to authenticate to the tower," said Amoroso, and although the next-generation LTE service addresses that, it remains a standards problem that needs to be fixed, especially as carriers run multiple wireless networks. "The audit community is in a total snooze fest on this topic," he said.
Pushing out security patches "takes months," commented Lookout's Hering, because in the mobile world, "so many people are involved" reviewing and approving it. "The question is, can we get that from seven months to seven weeks to seven days?"
"Patching is a big problem," acknowledged Amoroso. "You shouldn't have to do it in the first place." But in the "over the air stuff," he pointed out, "the carrier will zap you. We call it the nuke option." He acknowledged this is not an optimum situation, "Sooner or later as a group, we'll have to come to an agreement as to what we'll do" in terms of "a community for patching."
"It's a political problem," said iSec's Stamos about the situation where mobile-device makers must gave approval by the carriers to approve these types of updates. He said a lot of this situation is engendered by "the desire by the carriers to control profit streams."
In contrast, Microsoft, in its Windows patching routine, "doesn't have to go to every laptop OEM to get permission from each." Stamos added that Google has set up separate "tiers" for certain devices and customers to be patches. Overall, Stamos advocated that the mobile-device industry make a break with the current situation regarding carrier control, and especially for enterprise users, "please give these people the ability to patch their phones." The iPhone and Android devices are hard to manage in part because of this.